ESXI5-VMNET-000001 - All dvPortgroup VLAN IDs must be fully documented. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000002 - All dvSwitch Private VLAN IDs must be fully documented. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000003 - All virtual switches must have a clear network label. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000004 - Virtual switch VLANs must be fully documented and have only the required VLANs. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000005 - All vSwitch and VLAN IDs must be fully documented - 'vSwitch labels' | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000007 - Only authorized administrators must have access to virtual networking components. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000008 - All physical switch ports must be configured with spanning tree disabled. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000009 - All port groups must be configured with a clear network label. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000010 - All port groups must be configured to a value other than that of the native VLAN. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000011 - All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT) - VGT | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000012 - All port groups must not be configured to VLAN values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000013 - The system must ensure that the virtual switch Forged Transmits policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000014 - The system must ensure that the dvPortgroup Forged Transmits policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000015 - The system must ensure the dvPortGroup MAC Address Change policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000016 - The system must ensure the virtual switch MAC Address Change policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000017 - The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000018 - The system must ensure the virtual switch Promiscuous Mode policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000019 - The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000020 - The system must ensure there are no unused ports on a distributed virtual port group. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000021 - vMotion traffic must be isolated. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000023 - Access to the management network must be strictly controlled through a network gateway. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000024 - Access to the management network must be strictly controlled through a network jump box. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000025 - Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000026 - The system must disable the autoexpand option for VDS dvPortgroups. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000036 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch. | CONFIGURATION MANAGEMENT |
ESXI5-VMNET-000046 - All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups. | CONFIGURATION MANAGEMENT |
GEN000100-ESXI5-000062 - The operating system must be a supported release. | CONFIGURATION MANAGEMENT |
GEN000240-ESXI5-000058 - The system clock must be synchronized to an authoritative DoD time source. | CONFIGURATION MANAGEMENT |
GEN000380-ESXI5-000043 - The GID assigned to a user must exist. | CONFIGURATION MANAGEMENT |
GEN000585-ESXI5-000080 - The system must enforce the entire password during authentication. | CONFIGURATION MANAGEMENT |
GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords - V-39246 | CONFIGURATION MANAGEMENT |
GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords - V-39418 | CONFIGURATION MANAGEMENT |
GEN000940-ESXI5-000042 - The root account's executable search path must be the vendor default and must contain only absolute paths. | CONFIGURATION MANAGEMENT |
GEN000945-ESXI5-000333 - The root account's library search path must be the system default and must contain only absolute paths. | CONFIGURATION MANAGEMENT |
GEN000950-ESXI5-444 - The root account's list of preloaded libraries must be empty. | CONFIGURATION MANAGEMENT |
GEN001375-ESXI5-000086 - For systems using DNS resolution, at least two name servers must be configured. | CONFIGURATION MANAGEMENT |
GEN002120-ESXI5-000045 - The /etc/shells (or equivalent) file must exist - or equivalent file must exist | CONFIGURATION MANAGEMENT |
GEN002140-ESXI5-000046 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. | CONFIGURATION MANAGEMENT |
GEN002260-ESXI5-000047 - The system must be checked for extraneous device files at least weekly. | CONFIGURATION MANAGEMENT |
GEN002400-ESXI5-10047 - The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files. | CONFIGURATION MANAGEMENT |
GEN002420-ESXI5-00878 - Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option. | CONFIGURATION MANAGEMENT |
GEN002430-ESXI5 - Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option. | CONFIGURATION MANAGEMENT |
GEN002460-ESXI5-20047 - The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files. | CONFIGURATION MANAGEMENT |
GEN003510-ESXI5-006660 - Kernel core dumps must be disabled unless needed. | CONFIGURATION MANAGEMENT |
GEN005300-ESXI5-000099 - SNMP communities, users, and passphrases must be changed from the default. | CONFIGURATION MANAGEMENT |
GEN005440-ESXI5-000078 - The system must not be used as a syslog server (log host) for systems external to the enclave - log host for systems external to the enclave | CONFIGURATION MANAGEMENT |
GEN005460-ESXI5-000060 - The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures. | CONFIGURATION MANAGEMENT |
GEN005501-ESXI5-9778 - The SSH client must be configured to only use the SSHv2 protocol. | CONFIGURATION MANAGEMENT |
GEN005515-ESXI5-000100 - The SSH daemon must be configured to not allow TCP connection forwarding. | CONFIGURATION MANAGEMENT |